ABSTRACT. We introduce a new class of public-key functions involving a number $n = p \cdot q$ having two large prime factors. As usual, the key $n$ is public, while $p$ and $q$ are the private key used by the issuer for production of signatures and function inversion. These functions can be used for all the applications involving public-key functions proposed by Diffie and Hellman [2], including digitalized signatures. We prove that for any given $n$, if we can invert the function $y = E(x)$ for even a small percentage of the values $y$ then we can factor $n$. Thus as long as factorization of large numbers remains practically intractable, for appropriately chosen keys not even a small percentage of signatures are forgerable. Breaking the RSA function [6] is at most as hard as factorization, but is not known to be equivalent to factorization even in the weak sense that ability to invert all function values entails ability to factor the key. Computation time for these functions, i.e. signature verification, is several hundred times faster than for the RSA scheme in [6]. Inversion time, using the private key, is comparable. The almost-everywhere intractability of signature-forgery for our functions (on the assumption that factoring is intractable) is of great practical significance and seems to be the first proved result of this kind.

Key words. Public-key functions, Digitalized signatures, Factorization, Intractable problems.
INTRODUCTION

In their fundamental paper [2] Diffie and Hellman have shown how public key trap door functions can be employed for the solution of various problems arising in electronic mail, including the production of digitalized signatures. An example of a public-key function usable for digitalized signatures was given in the elegant paper [6] by Rivest, Adelman, and Shamir, who introduced a trap-door one-way function employing a number $n$ factorable into a product $n = p \cdot q$ of two large primes. The decoding algorithm given in [6] for this function requires knowledge of the factors $p, q$ of $n$. It is, however, conceivable that another decoding algorithm exists that does not involve or imply factorization of $n$. Thus, breaking this one-way function is at most as difficult as factorization, but possibly easier.

We present a different public key function which can be used for digitalized signatures, and all the other applications, in the same way as the above-mentioned function. The function in [6] is 1-1. Our function is four to one, but this causes only slight modifications in the applications.


For this new function we can prove that the ability to forge signatures or decode messages is equivalent to the ability to factor large numbers. In fact, for any given $n$, a signature forgery or inversion algorithm effective in just a small percentage of all cases, say one case in a thousand, already leads to a factorization of $n$. By inversion we mean finding for a number $y$ in the range of $E$ one of the $x$ such that $E(x) = y$.

In view of the present-day intractability of the factorization problem, this fact lends substantial support to the viability of our public-key function. As long as it is impossible in practice to factor large numbers, it will be impossible for a fixed key to forge signatures even for a small percentage of all messages.

The fact that we are able to prove, on the assumption that factoring is hard, that for our function, for a fixed key $n$ whose factorization is not given, inversion must be hard for almost all messages is of great significance. For other trap door functions it may be the case that even though worst case complexity or even average complexity are high, in say one percent of cases inversion is easy. From a commercial point of view this would pose an unacceptable risk. For example, an adversary can randomly search by computer for messages useful to him, such as payment instructions, on which he can forge signatures. To the best of our knowledge, we have in this article the first example of an almost everywhere difficult problem of this type.

In addition, computation time for this function is several hundred times faster, and inversion when $p, q$ are known is about eight times faster than the corresponding algorithms in [6]. If we invert the RSA function by Chinese Remaindering, as we do here, then inversion times for the two functions are comparable.

Theorems 1 and 2 concerning the equivalence of square-root extraction with factorization are perhaps also of independent number-theoretic interest.
1. THE PUBLIC-KEY FUNCTION

Let $n = p \cdot q$ be the product of two large primes $p, q$, and let $0 < b < n$.

DEFINITION 1: The function $E_{n,b}(x)$ is defined for $0 \le x < n$ by $E_{n,b}(x) = x(x+b) \bmod n$, $0 \le E_{n,b}(x) < n$.

Computation of $E(x)$, for fixed $n, b$, requires one addition, one multiplication, and one division of $x(x+b)$ by $n$ to find the residue $E_{n,b}(x)$. Note that only the public key $n, b$, but not the factorization $n = p \cdot q$, is required for encoding.
2. INVERSION ALGORITHMS

Given $c = x(x+b) \bmod n$, we want to find the four values $0 \le x_i < n$, $1 \le i \le 4$, such that $E(x_i) = c$. We assume of course that the private key, i.e. the factors of $n$, are known.

Throughout this paper $\mathrm{res}(A,B)$ will denote the residue of $A$ when divided by $B$, and $(A,B)$ will denote the greatest common divisor (g.c.d.) of $A$ and $B$.

The decoder, who is the issuer of the public key $n, b$, knows the factorization $n = p \cdot q$. Clearly, it suffices to solve the equation $x(x+b) = c$ separately mod $p$ and mod $q$, and then find a solution mod $n$.

Let $a$ be an integer so that $a = 1 \bmod p$, $a = 0 \bmod q$, and $b$ satisfy $b = 1 \bmod q$, $b = 0 \bmod p$. If $r$ and $s$ satisfy the congruence mod $p$ and mod $q$ respectively, then $z = ar + bs$ solves the congruence mod $n$, and $x = \mathrm{res}(z,n)$ is the sought-after solution.

In what follows let $p$ be a fixed prime. We shall understand all integers $a$ to be residues mod $p$, i.e., $0 \le a < p$. For $d$ a quadratic residue (q.r.) mod $p$, $\sqrt{d}$ will denote any one of the two integers such that $(\sqrt{d})^2 = d \bmod p$, and $-\sqrt{d}$ will denote $p - \sqrt{d}$.

To solve

(1) $f(x) = x^2 + bx - c = 0 \bmod p$

let $d = b/2 \bmod p$; then $(x+d)^2 = c + d^2 \bmod p$, $x = -d \pm \sqrt{c + d^2}$. We can solve the equation (1) as soon as we can extract square roots mod $p$, i.e., solve $y^2 - m = 0 \bmod p$.

Assume first that $p = 4k - 1$ so that $4 \mid (p+1)$. Since $m$ is a q.r., $m^{(p-1)/2} = 1 \bmod p$. We claim that

(2) $g = \sqrt{m} = m^{(p+1)/4} \bmod p$

is one of the two square roots of $m$. Namely, $g^2 = m^{(p+1)/2} = m^{(p-1)/2} \cdot m = m \bmod p$.

Thus one implementation of the function would use $p$ and $q$ such that $p = q = 3 \bmod 4$, and the decoding algorithm (2).

For $p = 4k + 1$ we directly solve the equation (1) by a probabilistic algorithm. This is a special case of Berlekamp's root-finding in GF(p) algorithm given in [1]. The short proof given here is taken from [5], where generalizations to GF($p^n$) appear. If the roots of (1) are $\alpha, \beta \in$ GF(p) then $x^2 + bx - c = (x - \alpha)(x - \beta)$. The roots in GF(p) of the polynomial equation $x^{(p-1)/2} - 1 = 0$ are exactly the quadratic residues $a \in$ GF(p). Consequently, if $\alpha$ is a quadratic residue while $\beta$ is not, then $(x^{(p-1)/2} - 1, f(x)) = x - \alpha$, so that $\alpha$ and subsequently $\beta = -(b + \alpha) \bmod p$ are readily found.

Assume that $\alpha$ and $\beta$ are of the same type, i.e., both quadratic residues (q.r.) or both quadratic non-residues mod $p$, and that $\alpha \ne \beta$. Let $0 \le \delta < p$; then $\alpha + \delta$ and $\beta + \delta$ are of the same type if and only if $(\alpha + \delta)/(\beta + \delta)$ is a q.r. mod $p$. As $\delta$ takes all values $0 \le \delta < p$ except $-\beta$, the quotient $(\alpha + \delta)/(\beta + \delta)$ takes all values $0 \le \gamma < p$ except $\gamma = 1$. Thus for exactly $(p-1)/2$ choices of $\delta$, $\alpha + \delta$ and $\beta + \delta$ will not be of the same type.

Since $f(x - \delta) = (x - \alpha - \delta)(x - \beta - \delta)$, we have that for a random choice of $0 \le \delta < p$, with probability 1/2

(3) $(x^{(p-1)/2} - 1, f(x - \delta)) = x - \alpha - \delta$ or $x - \beta - \delta$.

Thus on the average two values of $\delta$ have to be tried for finding the roots of (1).

The computation of the g.c.d. (3) requires $O(\log_2 p)$ operations in GF(p), i.e., additions and multiplications mod $p$. Namely, by essentially repeated squarings starting with $x$, compute $x + h = \mathrm{res}(x^{(p-1)/2}, f(x - \delta))$. Whenever a quadratic polynomial is encountered, divide by $f(x - \delta)$ to produce a linear polynomial. Note that $x$ is a formal variable so that all computations involve just pairs of residues mod $p$. Now by (3), $x + h - 1$ is $x - \alpha - \delta$ or $x - \beta - \delta$, so that $-\delta - h + 1$ is a root of (1).
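The following Python program is an added example, not code from the paper. It implements Definition 1 and the inversion procedure of this section with the private key: the closed form (2) when $p = 3 \bmod 4$, the probabilistic g.c.d. (3) with a random shift $\delta$ when $p = 1 \bmod 4$ (polynomials in the formal variable $x$ are kept as pairs of residues mod $p$ and reduced by $f(x-\delta)$ after each squaring), and the Chinese Remaindering step $z = ar + bs$ to recover all four $x$ mod $n$. The function and helper names (`E`, `roots_mod_p`, `_x_pow_mod`, `crt`, `invert_E`) and the toy key $p = 11$, $q = 13$, $b = 5$ are my own choices; the tiny primes exist only so the result can be checked by hand.

```python
# Added example (not from the paper): inverting E_{n,b}(x) = x(x+b) mod n
# with the private key p, q, following Sections 1 and 2.
import random


def E(x, b, n):
    """The public-key function of Definition 1: E_{n,b}(x) = x(x+b) mod n."""
    return (x * (x + b)) % n


def sqrt_3mod4(m, p):
    """Equation (2): for p = 3 mod 4 and m a q.r., sqrt(m) = m^((p+1)/4) mod p."""
    return pow(m, (p + 1) // 4, p)


def _mulmod(u, v, f1, f0, p):
    """Multiply linear polynomials u = u0 + u1*x and v = v0 + v1*x modulo the
    monic quadratic x^2 + f1*x + f0 over GF(p). x is a formal variable, so
    every intermediate value is just a pair of residues mod p."""
    c0 = u[0] * v[0]
    c1 = u[0] * v[1] + u[1] * v[0]
    c2 = u[1] * v[1]                        # x^2 term; reduce via x^2 = -f1*x - f0
    return ((c0 - c2 * f0) % p, (c1 - c2 * f1) % p)


def _x_pow_mod(e, f1, f0, p):
    """res(x^e, x^2 + f1*x + f0) by repeated squaring, returned as (h0, h1)."""
    result, base = (1, 0), (0, 1)           # the polynomials 1 and x
    while e:
        if e & 1:
            result = _mulmod(result, base, f1, f0, p)
        base = _mulmod(base, base, f1, f0, p)
        e >>= 1
    return result


def roots_mod_p(b, c, p, rng=random, max_tries=200):
    """Both roots of x^2 + b*x - c = 0 mod p (equation (1)), p an odd prime.
    p = 3 mod 4 uses (2); otherwise the gcd (3) with a random shift delta."""
    d = (b * pow(2, -1, p)) % p             # d = b/2 mod p
    m = (c + d * d) % p                     # (x+d)^2 = c + d^2 = m mod p
    if m == 0:
        return (-d % p, -d % p)             # double root
    if pow(m, (p - 1) // 2, p) != 1:
        raise ValueError("c + d^2 is not a quadratic residue mod p: no solution")
    if p % 4 == 3:
        r = sqrt_3mod4(m, p)
        return ((-d + r) % p, (-d - r) % p)
    # p = 1 mod 4: f(x - delta) = x^2 + (b - 2 delta) x + (delta^2 - b delta - c)
    for _ in range(max_tries):
        delta = rng.randrange(p)
        f1 = (b - 2 * delta) % p
        f0 = (delta * delta - b * delta - c) % p
        h0, h1 = _x_pow_mod((p - 1) // 2, f1, f0, p)
        h0 = (h0 - 1) % p                   # x^((p-1)/2) - 1 reduced mod f(x - delta)
        if h1 == 0:
            continue                        # shifted roots of the same type: retry
        shifted = (-h0 * pow(h1, -1, p)) % p  # root of the linear gcd factor
        alpha = (shifted - delta) % p
        if (alpha * alpha + b * alpha - c) % p == 0:
            return (alpha, (-b - alpha) % p)  # alpha + beta = -b
    raise RuntimeError("no splitting delta found")


def crt(r, s, p, q):
    """Combine x = r mod p and x = s mod q into res(z, n), z = a*r + b*s."""
    a = q * pow(q, -1, p)                   # a = 1 mod p, a = 0 mod q
    bb = p * pow(p, -1, q)                  # bb = 1 mod q, bb = 0 mod p
    return (a * r + bb * s) % (p * q)


def invert_E(c, b, p, q, rng=random):
    """All four x with x(x+b) = c mod n, given the private key p, q."""
    n = p * q
    roots_p = roots_mod_p(b % p, c % p, p, rng)
    roots_q = roots_mod_p(b % q, c % q, q, rng)
    xs = sorted({crt(r, s, p, q) for r in roots_p for s in roots_q})
    assert all(E(x, b, n) == c % n for x in xs)
    return xs


if __name__ == "__main__":
    p, q, b = 11, 13, 5        # constructed toy key; q = 1 mod 4 exercises the gcd method
    n = p * q
    c = E(9, b, n)             # 9 * 14 mod 143 = 126
    print(c, invert_E(c, b, p, q))   # 126 [9, 64, 74, 129]
```

With $p = 11$ the roots mod $p$ come from (2); with $q = 13$ the shift $\delta$ is redrawn until the two shifted roots are of different type, which the paper shows happens for half of the choices, so the loop ends after about two draws on average.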


3. USE IN SIGNATURES

To employ $E$ for signatures the signer P produces two large primes $p, q$ by use of one of the prime-testing algorithms [3,7]. He forms $n = p \cdot q$, chooses a number $0 < b < n$ and publicizes the pair $(n, b)$ (but not the factors $p, q$).

By convention, when wishing to sign a given message $M$, P adds as suffix a word $U$ of an agreed upon length $k$. The choice of $U$ is randomized each time a message is to be signed. The signer now compresses $M_1 = MU$ by a hashing function to a word $C(M_1) = c$, so that as a binary number $c < n$; see [4]. The computation of $C(\ )$ is publicly known, so that $c = C(M_1)$ is checkable by everybody.

P now checks whether for this $c$ the congruence

(4) $x(x+b) = c \bmod n$

is solvable.

By the analysis of Section 2, this congruence is solvable if and only if $m = c + d^2$ is a q.r. mod $p$ and mod $q$. Thus testing the solvability of (4) amounts to computing the Jacobi symbols $\left(\frac{m}{p}\right)$ and $\left(\frac{m}{q}\right)$, which is essentially a g.c.d. type computation.

If congruence (4) is not solvable then P picks another random $U_1$ and tries $c_1 = C(MU_1)$. The expected number of tries is 4. When for some $U$ the congruence (4) is solvable for $c = C(MU)$, P finds a solution $x$.

DEFINITION 2: For a given public key $n, b$ used by P and an agreed upon compressing function $C(\ )$ and integer $k$, P's signature on a message $M$ is a pair $U, x$ where $\ell(U) = k$ and $x(x+b) = C(MU) \bmod n$.

Anybody can check P's signature by computing $c = C(MU)$ and testing whether $x(x+b) = c \bmod n$.

The randomization of the suffix $U$ of $M$ also adds protection against possible attacks on the function $E$. Without the suffix, an adversary may attempt to feed to P messages $M$ for his signature, hoping to learn the factorization of $n$ from the solution of $x(x+b) = C(M) \bmod n$, which will be produced by P as his signature. Actually, this does not seem a serious threat because of the hashing effected by $C(M)$.

However, the randomized suffix of length $k$ leads to essentially $2^k$ possible random values for $c = C(MU)$. Thus for, say, $k = 60$, the adversary has no effective control over the congruence (4) that P will solve.
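The signing and checking procedure of this section, written out as an added Python example (not the paper's code). It follows the implementation the paper suggests at the end of the $p = 3 \bmod 4$ discussion, so both primes are $3 \bmod 4$ and the root comes from (2); the solvability test is Euler's criterion, which is what the Jacobi symbols $\left(\frac{m}{p}\right)$ and $\left(\frac{m}{q}\right)$ reduce to when $p$ and $q$ are prime. The compressing function $C(\ )$ is my assumption (SHA-256 of $MU$ reduced below $n$; the paper only requires a public hash), as are the names `sign`, `verify`, `solvable`, the suffix length $k = 60$ bits taken from the text, and the toy primes 1019 and 1031.

```python
# Added example (not from the paper): Definition 2 with p = q = 3 mod 4.
import hashlib
import secrets


def C(message_with_suffix, n):
    """Assumed public compressing function: SHA-256 digest reduced mod n."""
    digest = hashlib.sha256(message_with_suffix).digest()
    return int.from_bytes(digest, "big") % n


def is_qr(m, p):
    """Euler's criterion: m is a q.r. mod the prime p iff m^((p-1)/2) = 1 (or m = 0)."""
    return m % p == 0 or pow(m % p, (p - 1) // 2, p) == 1


def _shift(b, c, n):
    """d = b/2 mod n (n is odd) and m = c + d^2 mod n, so (x+d)^2 = m."""
    d = (b * pow(2, -1, n)) % n
    return d, (c + d * d) % n


def solvable(c, b, p, q):
    """Congruence (4) is solvable iff m = c + d^2 is a q.r. mod p and mod q."""
    _, m = _shift(b, c, p * q)
    return is_qr(m, p) and is_qr(m, q)


def solve_congruence(c, b, p, q):
    """One x with x(x+b) = c mod n, for p = q = 3 mod 4, using (2) and CRT."""
    n = p * q
    d, m = _shift(b, c, n)
    rp = pow(m % p, (p + 1) // 4, p)                    # sqrt(m) mod p, eq. (2)
    rq = pow(m % q, (q + 1) // 4, q)                    # sqrt(m) mod q
    y = (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n   # sqrt(m) mod n
    return (y - d) % n                                  # x = -d + sqrt(m)


def sign(message, b, p, q, k=60):
    """P's signature (U, x) on message: U is a fresh random k-bit suffix,
    redrawn until (4) is solvable for c = C(MU); about 4 draws are expected.
    Also returns the number of draws so the expectation can be observed."""
    n = p * q
    draws = 0
    while True:
        draws += 1
        U = secrets.randbits(k).to_bytes((k + 7) // 8, "big")
        c = C(message + U, n)
        if solvable(c, b, p, q):
            x = solve_congruence(c, b, p, q)
            assert (x * (x + b)) % n == c               # sanity check before release
            return U, x, draws


def verify(message, U, x, b, n, k=60):
    """Anyone can check: U has the agreed length and x(x+b) = C(MU) mod n."""
    if len(U) != (k + 7) // 8 or not 0 <= x < n:
        return False
    return (x * (x + b)) % n == C(message + U, n)


if __name__ == "__main__":
    p, q, b = 1019, 1031, 77       # constructed toy primes, both 3 mod 4; real keys are far larger
    n = p * q
    U, x, draws = sign(b"transfer 10 units to account 42", b, p, q)
    print(draws, verify(b"transfer 10 units to account 42", U, x, b, n))
```

Only $(n, b)$ and $C(\ )$ are needed by `verify`; `sign` is the only function that touches $p$ and $q$, which is the division of knowledge the paper relies on.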


4. INVERSION IS EQUIVALENT TO FACTORIZATION

We now want to show that if an adversary can invert $E_{n,b}(x)$ by any algorithm then he can factor $n$. By inverting we mean finding for $y$ one of the four $x$ such that $E_{n,b}(x) = y$. Finding one such $x$ is sufficient for the would-be signature forger, so that we want to show that this is hard. Thus the problem of, say, forging P's signatures is exactly as intractable as the factorization of a number $n$ which is a product of large primes. As mentioned in the Introduction, the scheme in [6] is at most as safe as factorization but conceivably easier to crack.

In the following theorem we count an addition of numbers $a, b < n$ as one operation.

It is readily seen that if we can solve (4) for fixed $n, b$ and arbitrary $c$ then we can extract square roots, i.e., solve $y^2 = m \bmod n$ whenever a solution exists. Namely, letting $b = 2d \bmod n$ ($n$ is odd) and $m = c + d^2 \bmod n$, (4) turns into

$x^2 + 2dx + d^2 = (x+d)^2 = m \bmod n.$

Thus our result follows from

THEOREM 1: Let AL be an algorithm for finding one of the solutions of

(5) $y^2 = m \bmod n$

whenever a solution exists, and requiring $F(n)$ steps. There exists an algorithm for factoring $n$ requiring $2F(n) + 2\log_2 n$ steps.


Proof. Assume that $n = p \cdot q$ is a product of two primes, the case relevant for $E_{n,b}$. The proof easily extends to the general case.

For any $0 < k < n$, $(k,n) = 1$, there are exactly four solutions for the congruence

$y^2 = k^2 \bmod n.$

Namely, let $\mathrm{res}(k,p) = r$, $\mathrm{res}(k,q) = s$; then the solutions $y$ of this congruence satisfy $\mathrm{res}(y,p) = \pm r \bmod p$, $\mathrm{res}(y,q) = \pm s \bmod q$, and each of the four sign combinations gives rise to a different solution. Defining for $0 < y_1, y_2 < n$, $y_1 \sim y_2$ to mean $y_1^2 = y_2^2 \bmod n$, we see that this equivalence relation decomposes the set $0 < y < n$, $(y,n) = 1$, into classes each containing four elements.

Denote by $\sqrt{m}$ the solution of (5) by AL for any $m$, $(m,n) = 1$. If AL produces more than one solution then the factorization algorithm that follows is even further facilitated.

Choose at random a number $0 < k < n$. If $(k,n) \ne 1$ then we directly get a factor of $n$. In practice, this possibility can be neglected. Compute $k^2 = m \bmod n$. Compute $k_1 = \sqrt{m}$ by AL. Now, $k$ is in the equivalence class, by the relation $\sim$, of $k_1$. In a random choice of $0 < k < n$, all four possible choices of numbers within any class are equally likely. Hence with probability 1/2

$k = k_1 \bmod p,\ k = -k_1 \bmod q$ or $k = -k_1 \bmod p,\ k = k_1 \bmod q.$

Therefore with probability 1/2

(6) $(k - k_1, n) = p$ or $q$.

The computation of $\sqrt{m}$ requires $F(n)$ steps. The computation of the g.c.d. (6) requires at most $\log_2 n$ subtractions and divisions by 2, of numbers smaller than $n$. Hence the expected number of steps is $2F(n) + 2\log_2 n$.

If we count bit-operations then subtraction of numbers smaller than $n$ requires at most $\log_2 n$ bit-operations and the bound is $2F(n) + 2(\log_2 n)^2$.

The previous theorem may be strengthened to cover the situation that for the given key $E_{n,b}$ can be decoded in just a small percentage of all cases.

THEOREM 2: If AL solves (5) in $F(n)$ steps for $1/e$ of the $0 < m < n$, $(m,n) = 1$, for which (5) has a solution, then there is an algorithm for factoring $n$ requiring $2eF(n) + 2\log_2 n$ steps.

Proof. As in the proof of Theorem 1, choose a $0 < k < n$ at random and compute $k^2 = m \bmod n$. Apply AL to find $\sqrt{m}$. If the computation runs more than $F(n)$ steps abort it and choose another $k$. Whenever a root $k_1 = \sqrt{m}$ is found, compute $(k - k_1, n)$. The analysis in the proof of Theorem 1 implies that with probability 1/2 each such try produces a factorization of $n$.

The expected number of choices of $k$ leading to a $\sqrt{m}$ is $e$ and the expected number of successes of AL needed for a factorization is 2. Thus the total expected number of steps is $2eF(n) + 2\log_2 n$. Note that we embark on the second phase of the factorization only after a success of AL in finding $\sqrt{m}$.

If for example $e = 1000$, and $F(n)$ were not prohibitively large, then an adversary could factor $n$ in $2000F(n) + 2\log_2 n$ steps. Consequently, if no practical algorithm for factoring $n$ is possible, then no practical decoding algorithm could work in even 1/1000 of all cases.
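The reductions in the proofs of Theorems 1 and 2, carried out as an added Python example (not the paper's code). The square-root oracle AL cannot be "some unknown algorithm" in a runnable demonstration, so it is simulated here with the private key (an assumption for the demo only); the reduction `factor` never sees $p$ or $q$ and uses nothing but random $k$, one oracle call on $k^2 \bmod n$, and the g.c.d. (6). Passing `answers_fraction=e` makes the simulated AL answer only on roughly $1/e$ of its inputs, which is the situation of Theorem 2 (the abort after $F(n)$ steps is represented by the oracle returning no answer). The names `make_oracle`, `factor` and the toy primes 1019 and 1031 are mine.

```python
# Added example (not from the paper): the reduction of Theorems 1 and 2.
import random
from math import gcd


def make_oracle(p, q, answers_fraction=None):
    """Simulated AL for p = q = 3 mod 4 (demo assumption: it knows p and q).
    Returns one square root of m mod n, or None when (5) has no solution or,
    with answers_fraction = e, on the inputs it 'fails' on (about (e-1)/e of
    them, modelled as m % e != 0) to mimic the hypothesis of Theorem 2."""
    n = p * q

    def oracle(m):
        if answers_fraction and m % answers_fraction != 0:
            return None
        if pow(m % p, (p - 1) // 2, p) != 1 or pow(m % q, (q - 1) // 2, q) != 1:
            return None                                  # (5) has no solution
        rp = pow(m % p, (p + 1) // 4, p)                 # eq. (2) mod p
        rq = pow(m % q, (q + 1) // 4, q)                 # eq. (2) mod q
        return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n

    return oracle


def factor(n, oracle, rng=random, max_rounds=200000):
    """Proof of Theorems 1 and 2: pick random 0 < k < n, ask AL for a root k1
    of m = k^2 mod n; with probability 1/2, k != +-k1 mod n and gcd(k - k1, n)
    is p or q (equation (6)). Returns (factor, oracle_calls, oracle_successes)
    so the expected counts e and 2 from Theorem 2 can be observed."""
    calls = successes = 0
    for _ in range(max_rounds):
        k = rng.randrange(1, n)
        g = gcd(k, n)
        if g != 1:
            return g, calls, successes      # (k, n) != 1: a factor directly
        m = k * k % n
        calls += 1
        k1 = oracle(m)
        if k1 is None:
            continue                        # AL failed or was aborted: new k
        successes += 1
        g = gcd(k - k1, n)                  # the g.c.d. (6)
        if 1 < g < n:
            return g, calls, successes
    raise RuntimeError("gave up after max_rounds")


def average_cost(n, oracle, trials=200, rng=random):
    """Mean oracle calls and successes per factorization over several runs."""
    tot_calls = tot_succ = 0
    for _ in range(trials):
        _, c, s = factor(n, oracle, rng)
        tot_calls += c
        tot_succ += s
    return tot_calls / trials, tot_succ / trials


if __name__ == "__main__":
    p, q = 1019, 1031                       # constructed toy primes, both 3 mod 4
    n = p * q
    print(factor(n, make_oracle(p, q)))
    # Theorem 2 with e = 50: roughly 2 successes and about 2e calls expected.
    print(average_cost(n, make_oracle(p, q, answers_fraction=50)))
```

The averages printed by `average_cost` come out near 2 successes and $2e$ calls, matching the $2eF(n)$ term of Theorem 2; the reduction spends its time on oracle calls, not on the g.c.d., which is why a partial oracle costs only a constant factor $e$ more.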
5. GENERALIZATIONS

The above method of construction of a one-way function can be extended to employ polynomials or powers of $x$ of small degrees other than 2.

Assume for example that $n = pq$, where $p$ and $q$ are primes of the form $3k + 1$. The one-way function will be $E(x) = x^3 \bmod n$. The decoding is effected by solving $x^3 - m = 0 \bmod p$ and mod $q$ by a probabilistic algorithm similar to the one used in Section 2. Again one can prove that any algorithm for extracting cubic roots leads, for $n$ of the above form, to a factorization of $n$.

The probability that $x^3 = w \bmod n$ is solvable for a random $w$ is 1/9. Thus for utilization in signatures the quadratic scheme seems best.